| author | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-10-18 17:43:01 +0000 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-10-18 17:43:22 +0000 |
| commit | c74bd6d108aadd437411ac55a67a015523b92d05 (patch) | |
| tree | b79b950b3ceabdfc99ae758b4e7d0ae5cc9f0074 /roles/ipa/server | |
| parent | 70dc0c4c0f64eae69fcbde281d33ea54a5da0c9e (diff) | |
| download | ansible-c74bd6d108aadd437411ac55a67a015523b92d05.tar.gz ansible-c74bd6d108aadd437411ac55a67a015523b92d05.tar.xz ansible-c74bd6d108aadd437411ac55a67a015523b92d05.zip | |
Move ipa to ipa/server
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'roles/ipa/server')
| -rw-r--r-- | roles/ipa/server/files/configure-ipa.sh | 33 | ||||
| -rw-r--r-- | roles/ipa/server/tasks/main.yml | 135 |
2 files changed, 168 insertions, 0 deletions
diff --git a/roles/ipa/server/files/configure-ipa.sh b/roles/ipa/server/files/configure-ipa.sh
new file mode 100644
index 000000000..eca8875f2
--- /dev/null
+++ b/roles/ipa/server/files/configure-ipa.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+ADMIN_PASSWORD="$1"
+DM_PASSWORD="$2"
+
+function cleanup {
+ kdestroy -A
+}
+trap cleanup EXIT
+
+echo $ADMIN_PASSWORD | kinit admin
+
+# Disallow all users to change their own settings
+ipa selfservice-find | grep "Self-service name:" | sed -e "s/ Self-service name: //" | \
+while read line
+do
+ echo "Removing $line"
+ ipa selfservice-del "$line"
+done
+
+# Create fas_sync user
+ipa user-add fas_sync --first=FAS --last=Sync
+
+# Allow sync user to create and edit users
+ipa group-add-member admins --users=fas_sync
+
+# Allow sync user to update passwords
+ldapmodify -x -D "cn=Directory Manager" -w "$DM_PASSWORD" -h localhost -p 389 <<EOF
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+changetype: modify
+add: passSyncManagersDNs
+passSyncManagersDNs: uid=fas_sync,cn=users,cn=accounts,dc=fedoraproject,dc=org
+EOF
+exit 0
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
new file mode 100644
index 000000000..a927881a7
--- /dev/null
+++ b/roles/ipa/server/tasks/main.yml
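Review bot: `exit 0` on the last line reports success unconditionally and nothing sets `-e`, so a failed `kinit`, `ipa user-add` or `ldapmodify` still returns 0 to the `Run configuration script` task in tasks/main.yml and the play continues on a half-configured server. Put `set -eu` after the shebang and drop the final `exit 0` so the exit status is that of the last command; with the while-loop pipeline that also makes a failing `ipa selfservice-del` fatal. The DM password is passed to `ldapmodify -w "$DM_PASSWORD"` and both passwords arrive as `$1`/`$2`, which leaves them readable in the process listing while those commands run; `ldapmodify -y` pointed at a 0600 temp file that `cleanup` removes keeps the bind password out of argv, and `printf '%s\n' "$ADMIN_PASSWORD" | kinit admin` avoids the word-splitting of the unquoted `echo $ADMIN_PASSWORD`. The `passSyncManagersDNs` value hard-codes `dc=fedoraproject,dc=org` whereas tasks/main.yml takes the realm from `{{ipa_realm}}`, so a comment like `# base DN must match ipa_realm in tasks/main.yml` would save the next editor a surprise.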
@@ -0,0 +1,135 @@
+---
+# Configuration for IPA
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - haveged
+ - ipa-server
+ - ipa-server-dns
+ tags:
+ - ipa/server
+ - packages
+
+- name: enable haveged
+ service: name=haveged state=started enabled=yes
+ tags:
+ - ipa/server
+ - config
+
+- name: install IPA
+ command: ipa-server-install
+ --realm={{ipa_realm}}
+ --domain={{ipa_realm}}
+ --ds-password={{ipa_dm_password}}
+ --admin-password={{ipa_admin_password}}
+ --mkhomedir
+ --no-ntp
+ --unattended
+ --no-ssh
+ --no-sshd
+ --setup-dns
+ --forwarder=10.5.126.21
+ --forwarder=10.5.126.22
+ --log-file=/var/log/ipainstall.log
+ creates=/etc/ipa/default.conf
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: install IPA vault
+ command: ipa-kra-install
+ --password={{ipa_dm_password}}
+ --unattended
+ --log-file=/var/log/ipakrainstall.log
+ creates=/var/log/ipakrainstall.log
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: determine whether we need to set up replication
+ stat: path=/etc/ipa/default.conf
+ register: replication_status
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01")
+
+- name: create replica file
+ delegate_to: ipa01.phx2.fedoraproject.org
+ command: ipa-replica-prepare
+ --password={{ipa_dm_password}}
+ --ip-address={{eth0_ip}}
+ {{inventory_hostname}}
+ creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: retrieve replica file
+ delegate_to: ipa01.phx2.fedoraproject.org
+ fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+ dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+ flat=yes
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: deploy replica file
+ copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+ dest=/root/ipa_replica_{{inventory_hostname}}.gpg
+ mode=0600 owner=root group=root
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: destroy replica file on ansible host
+ delegate_to: localhost
+ file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: deploy replica
+ command: ipa-replica-install
+ --setup-ca
+ --setup-kra
+ --password={{ipa_dm_password}}
+ --admin-password={{ipa_admin_password}}
+ --mkhomedir
+ --no-ntp
+ --unattended
+ --no-ssh
+ --no-sshd
+ --setup-dns
+ --forwarder=10.5.126.21
+ --forwarder=10.5.126.22
+ --skip-conncheck
+ --log-file=/var/log/ipainstall.log
+ /root/ipa_replica_{{inventory_hostname}}.gpg
+ creates=/etc/ipa/default.conf
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: Deploy configuration script
+ copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
+ register: config_deployed
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: Run configuration script
+ command: /bin/bash /root/configure-ipa.sh {{ipa_dm_password}} {{ipa_admin_password}}
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01") and config_deployed.changed
|
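Review bot: The argument order on the `Run configuration script` line is the reverse of what the script expects: configure-ipa.sh reads `ADMIN_PASSWORD="$1"` and `DM_PASSWORD="$2"`, but the task passes `{{ipa_dm_password}} {{ipa_admin_password}}`, so `kinit admin` gets the Directory Manager password and `ldapmodify` binds with the admin password; unless both values happen to be identical the script fails, and because it ends in `exit 0` the task still reports ok. The fix is `command: /bin/bash /root/configure-ipa.sh {{ipa_admin_password}} {{ipa_dm_password}}`. This task and the `ipa-server-install`, `ipa-kra-install`, `ipa-replica-prepare` and `ipa-replica-install` tasks also put both passwords on the command line, which Ansible echoes into its task output and any log it writes; add `no_log: true` to each of those five tasks (the passwords remain visible in the host's process listing for the duration of the command). The `creates=/var/log/ipakrainstall.log` guard on `install IPA vault` is satisfied by a partial run that failed after opening its log file, so a failed KRA install is never retried; guarding on something the installer only produces on success, or on a `register`ed result, would be safer.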
